PoliclyPolicly
← All samples
Sample preview. Placeholders in [brackets] are replaced automatically with your answers from the post-purchase customisation form.
Sample

ISO 27001 Essentials

Acceptable Use Policy

Document 1 of [number of documents in suite] · One-time £20 for the full suite

1. Purpose

This Acceptable Use Policy (AUP) sets out the rules for using [Company Name] information systems, networks, devices and data. It protects both [Company Name] and its users from legal, security and reputational harm.

2. Scope

This policy applies to all employees, contractors, consultants, temporary staff and third parties (collectively "users") who access any [Company Name] system, network, device or information asset, whether on premises, remotely, or via personal devices under an approved BYOD scheme.

3. General principles

Users must:

  • Use [Company Name] systems only for legitimate business purposes (limited, reasonable personal use is tolerated where it does not interfere with work or breach this policy).
  • Comply with all applicable laws, contractual obligations, and [Company Name] policies.
  • Protect the confidentiality, integrity and availability of [Company Name] information.
  • Report suspected misuse, security incidents or vulnerabilities to [Incident Response Lead] without delay.

    • 4. Account and password security

  • Each user is issued an individual account; sharing of credentials is prohibited.
  • Passwords must meet the [Company Name] Password Standard (minimum length, complexity, no reuse across systems).
  • Multi-factor authentication must be enabled where offered.
  • Users must lock their screen when leaving a device unattended.

    • 5. Acceptable use of email and messaging

    Users may not use [Company Name] email or messaging systems to:

  • Send unsolicited bulk mail (spam) or chain letters.
  • Transmit material that is unlawful, defamatory, harassing, discriminatory, obscene or otherwise inappropriate.
  • Send confidential or personal data to external parties without an approved secure channel and lawful basis.
  • Impersonate another person or misrepresent their affiliation.

    • 6. Internet and social media

  • Browsing must comply with the law and [Company Name]'s code of conduct.
  • Users must not access, store or distribute pornographic, extremist, gambling or otherwise prohibited content via [Company Name] networks.
  • Public posts that identify the user as a [Company Name] employee must comply with the [Company Name] Social Media Guidelines.
  • Confidential [Company Name] information must not be disclosed on social media or AI tools.

    • 7. Use of generative AI and external tools

  • Confidential or personal data must not be pasted into public AI tools (e.g. consumer ChatGPT, Claude, Gemini) unless the tool has been approved by [Information Security Manager] under a written agreement that prohibits training on inputs.
  • Approved enterprise AI tools are listed in the [Approved Software Register].
  • Users remain responsible for verifying the accuracy of AI-generated content before relying on it.

    • 8. Software and devices

  • Only software listed in the Approved Software Register, or approved on request, may be installed on [Company Name] devices.
  • Users must not disable or bypass security controls (antivirus, encryption, MDM, firewall).
  • Personal devices used for work (BYOD) must be enrolled in [Company Name]'s MDM and meet the minimum security baseline.
  • Lost or stolen devices must be reported within 24 hours so they can be wiped.

    • 9. Data handling

  • Information must be handled in line with its classification (Public, Internal, Confidential, Restricted) as set out in the Information Classification & Handling Standard.
  • Confidential and Restricted data must not be stored on personal cloud accounts, personal email, USB drives or other unmanaged media.
  • Printed material containing Confidential or Restricted data must be collected promptly and disposed of via secure shredding.

    • 10. Remote and home working

  • Remote access is only via the approved VPN / ZTNA solution with MFA.
  • Users must work in a location where conversations and screens are not visible to unauthorised people.
  • Public Wi-Fi may only be used in conjunction with the [Company Name] VPN.

    • 11. Prohibited activities

    The following are expressly prohibited:

  • Unauthorised access to or scanning of [Company Name] or third-party systems.
  • Introducing malware, viruses, ransomware or destructive code.
  • Circumventing access controls, copying password files, or sniffing network traffic.
  • Using [Company Name] systems for personal commercial gain, cryptocurrency mining, or illegal activity.
  • Infringing the intellectual property rights of others (including unlicensed software, music, video or images).

    • 12. Monitoring

    [Company Name] reserves the right to monitor and log use of its systems, networks and devices for security, compliance and operational purposes, in accordance with applicable law and the [Company Name] Privacy Notice for Workers. Monitoring is proportionate and targeted; routine content inspection of personal communications is not undertaken.

    13. Reporting concerns

    Users must report:

  • Suspected security incidents or data breaches to [Incident Response Lead] / [24/7 Contact Number].
  • Suspected misuse of [Company Name] systems to their line manager or [HR Contact].
  • Concerns about this policy to [Information Security Manager].

    • 14. Enforcement

    Breach of this policy may result in disciplinary action up to and including dismissal, termination of contract, and where appropriate referral to regulators or law enforcement. Civil recovery of losses may also be pursued.

    15. Acknowledgement

    All users are required to acknowledge this AUP on induction and at least annually thereafter. Records of acknowledgement are maintained by [HR Contact].

    Approved by: [Company Owner] Effective date: [Effective Date] Next review: [Review Date]

    Like what you see?

    Get the full ISO 27001 Essentials bundle, tailored to your business, for £20.

    Other samples

    Data Protection PolicyUK Data Protection PolicyAccess Control Policy (AC family)Information Security PolicyExport Compliance Program (ECP)Incident & Breach Response PolicyData Governance Policy (Enterprise Technology)Data Governance Policy (Operational Technology)Data Management PolicyPrivacy Notice (External)